See how top teams stay future-ready for audits. 🚀
Glossary
AI Compliance

Deployer

Under the EU AI Act, a Deployer (previously referred to as the "User" in early drafts) is defined as any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.

While the "Provider" creates the AI tool, the Deployer is the entity that actually implements it in a real-world context. For example, if a company buys an AI-powered recruitment tool to screen job applicants, that company is the Deployer. The regulation recognizes that risks often materialize not just in how a model is built, but in how it is used.

For High-Risk AI Systems, Deployers have specific operational obligations under Article 26, including:

  • Appropriate Use: Taking technical and organizational measures to ensure the system is used in accordance with the instructions provided by the Provider.
  • Human Oversight: Assigning competent, trained natural persons to oversee the AI system, ensuring they have the authority to intervene or stop the system if necessary.
  • Input Data Relevance: Ensuring that the input data (the data fed into the system during operation) is relevant and sufficiently representative for the intended purpose, to prevent "garbage in, garbage out" scenarios or bias.
  • Monitoring & Logs: continuously monitoring the system for anomalies and retaining automatically generated logs for at least six months (or longer, depending on sector-specific laws).
  • Fundamental Rights Impact Assessment (FRIA): For specific deployers (such as public bodies or banks), conducting an assessment of how the system might impact fundamental rights before deployment.
  • Informing Workers: Employers must inform workers and their representatives before putting a high-risk AI system into service in the workplace.

Strategic Distinction: The shift from "User" to "Deployer" clarifies the liability structure. The Provider is liable for the product's compliance (e.g., accuracy, safety testing), while the Deployer is liable for its usage (e.g., not using a medical diagnostic tool to grade student exams). Crucially, a Deployer can become a Provider if they make substantial modifications to the system or market it under their own name.

Subscribe to our newsletter
Get monthly updates and curated industry insights
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Terms

Ethical AI governance 

Ethical AI Governance is the establishment of a comprehensive organizational framework, extending beyond strict legal compliance, that integrates ethical principles into the entire AI lifecycle, fostering a culture of responsible innovation and proactive risk stewardship as encouraged by the EU AI Act.

Learn More
Privacy-preserving AI 

Privacy-Preserving AI refers to the principle and set of technical practices that align AI system development with data protection laws, requiring that AI systems—especially high-risk ones—are designed from the outset to minimize the collection and exposure of personal data, thereby upholding the principles of data minimization, purpose limitation, and integrity.

Learn More
Fairness and bias mitigation

Fairness and Bias Mitigation constitute a core set of mandatory requirements under the EU AI Act, obliging providers of high-risk systems to proactively address risks of discrimination by employing appropriate data governance and technical measures throughout the system's lifecycle.

Learn More

Explore more resources

How Scrut helps you prioritize your compliance tasks
Learn More
Scrut innovations: December 2025 snapshot
Learn More
How Scrut helps you prioritize your compliance tasks

Learn More

Ready to see what security-first GRC really looks like?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo
Platform
Why ScrutExplore the PlatformSimplify ComplianceStreamline AuditsEmpower Your EmployeesMonitor Cyber RiskAssess Third-Party RiskValidate User PrivilegesManage Asset InventoryDemonstrate TrustAI-Powered GRCIntegrate Your Tech Stack
Frameworks
SOC 2ISO 27001GDPRPCI DSSHIPAANIST AI RMFCustom FrameworksAll Frameworks
Company Stages
StartupGrowthEnterprise
Industry
Enterprise SoftwareFinancial ServicesHealthcareTravel and TourismEducation
Resources
BlogEbooksPodcastSuccess StoriesWebinarsEventsGlossaryFAQs
Hubs
SOC 2 HubISO 27001 HubHIPAA HubExplore All Hubs
Partners
Become a PartnerFind a Partner
Company
CustomersAboutCareersNewsroomSecurity
TrustTerms of UsePrivacy PolicyCookies Policy
© 2024 Scrut Automation. All Rights Reserved.